Internet Engineering Task Force (IETF) K. Moriarty
Request for Comments: 6045 EMC
Category: Informational November 2010
ISSN: 2070-1721
Real-time Inter-network Defense (RID)
Abstract
Network security incidents, such as system compromises, worms,
viruses, phishing incidents, and denial of service, typically result
in the loss of service, data, and resources, both human and system.
Network providers and Computer Security Incident Response Teams need
to be equipped and ready to assist in communicating and tracing
security incidents with tools and procedures in place before the
occurrence of an attack. Real-time Inter-network Defense (RID)
outlines a proactive inter-network communication method to facilitate
sharing incident handling data while integrating existing detection,
tracing, source identification, and mitigation mechanisms for a
complete incident handling solution. Combining these capabilities in
a communication system provides a way to achieve higher security
levels on networks. Policy guidelines for handling incidents are
recommended and can be agreed upon by a consortium using the security
recommendations and considerations.
RID has found use within the international research communities, but
has not been widely adopted in other sectors. This publication
provides the specification to those communities that have adopted it,
and communities currently considering solutions for real-time inter-
network defense. The specification may also accelerate development
of solutions where different transports or message formats are
required by leveraging the data elements and structures specified
here.
Moriarty Informational [Page 1]

Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6045.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................4
1.1. Normative and Informative ..................................6
1.2. Terminology ................................................6
1.3. Attack Types and RID Messaging .............................6
2. RID Integration with Network Provider Technologies ..............8
3. Characteristics of Attacks ......................................9
3.1. Integrating Trace Approaches ..............................11
3.2. Superset of Packet Information for Traces .................11
4. Communication between Network Providers ........................12
4.1. Inter-Network Provider RID Messaging ......................14
4.2. RID Network Topology ......................................16
4.3. Message Formats ...........................................17
4.3.1. RID Data Types .....................................17
4.3.1.1. Boolean ...................................17
4.3.2. RID Messages and Transport .........................18
4.3.3. IODEF-RID Schema ...................................19
4.3.3.1. RequestStatus Class .......................21
4.3.3.2. IncidentSource Class ......................23